[Samba] Rights issue on GPO

Sébastien Le Ray sebastien-samba at orniz.org
Fri Jun 10 06:52:13 UTC 2016


Hi


On 09/06/2016 at 20:42, Rowland penny wrote:
> On 08/06/16 15:34, mathias dufresne wrote:
>> Hi all,
>>
>> [snip]
>> And we get issue with Linux ACLs: they are not the same because some
>> BUILTIN users and/or groups do not have same id mapping on all DC.
>>
>> How to force all DC to get same id mapping?
>>
>> Using "acl_xattr:ignore system acls = yes", are Linux ACLs still 
>> important
>> or are we supposed to use Windows ACLs only into stored into some Samba
>> file? In that case, which file(s)?

They're stored in each file's xattr as an obscure base64-encoded value,
BUT in all cases unix permissions apply when accessing through samba.
So disabling ACLs means that you have to set the permissions correctly to
allow "samba" unix users to access files (there's no clear doc on that…)

> OK, first you do not need this on a DC: 'winbind nss info = rfc2307'
>
> Secondly, your different id mappings for BUILTIN users & groups is a 
> well known problem. The id's are stored in 'idmap.ldb' as 'xidNumber' 
> attributes and seem to be given on a first come basis, only problem 
> is, the groups etc don't connect in the same order on every DC.

Wasn't this supposed to be solved in 4.2?
https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
The wiki seems to say that BUILTIN xIDs are now replicated, but there is
no clear upgrade path (if you've mixed 4.1 & 4.2 DCs, which mapping will
be stored in 4.2 winbind? What happens when you upgrade the 4.1 to 4.2?)

>
> To get the same ID's on every DC, you will have to copy idmap.ldb from 
> the first DC to every other DC, run 'net cache flush' and then keep 
> 'idmap.ldb' in sync.
>
Regards
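The thread turns on idmap.ldb holding the SID-to-xidNumber mapping on each DC and those mappings diverging between DCs. A practical first step before copying idmap.ldb around is to check how far the DCs actually disagree. The script below is an added example, not code from the thread or from Samba: it parses two LDIF dumps in the shape that an `ldbsearch` of idmap.ldb produces (the dumps here are constructed sample data, and the exact attribute set is an assumption, but `objectSid` and `xidNumber` are the ones the thread relies on) and reports the SIDs whose xidNumber differs or that exist on only one DC.

```python
"""Compare SID -> xidNumber mappings dumped from two DCs' idmap.ldb.

Added example (not from the mailing-list thread or the Samba project).
Assumes each DC's idmap.ldb was exported as LDIF, e.g. with
`ldbsearch -H /var/lib/samba/private/idmap.ldb`; the two dumps below are
constructed sample data in that shape, not real DC output.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: mappings as allocated on the first DC.
DC1_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-32-548
cn: S-1-5-32-548
objectClass: sidMap
objectSid: S-1-5-32-548
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Constructed sample: the same groups on a second DC, allocated in a
# different order ("first come" basis), plus one extra group.
DC2_LDIF = """\
dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-32-548
objectClass: sidMap
objectSid: S-1-5-32-548
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000003
"""


def parse_idmap_ldif(text: str) -> Dict[str, int]:
    """Return {objectSid: xidNumber} from an LDIF dump of idmap.ldb.

    Records are separated by blank lines; records without both an
    objectSid and an xidNumber (e.g. the database's own config entries)
    are skipped.
    """
    mappings: Dict[str, int] = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip().lower()] = value.strip()
        if "objectsid" in attrs and "xidnumber" in attrs:
            mappings[attrs["objectsid"]] = int(attrs["xidnumber"])
    return mappings


def find_mismatches(
    a: Dict[str, int], b: Dict[str, int]
) -> Tuple[Dict[str, Tuple[int, int]], List[str], List[str]]:
    """Return (SIDs with differing xids, SIDs only in a, SIDs only in b)."""
    differing = {sid: (a[sid], b[sid]) for sid in a.keys() & b.keys() if a[sid] != b[sid]}
    only_a = sorted(a.keys() - b.keys())
    only_b = sorted(b.keys() - a.keys())
    return differing, only_a, only_b


def report(dc1_ldif: str, dc2_ldif: str) -> List[str]:
    """Human-readable lines describing every divergence between the two DCs."""
    differing, only_a, only_b = find_mismatches(
        parse_idmap_ldif(dc1_ldif), parse_idmap_ldif(dc2_ldif)
    )
    lines = [f"{sid}: DC1 xid {x1} != DC2 xid {x2}" for sid, (x1, x2) in sorted(differing.items())]
    lines += [f"{sid}: only on DC1" for sid in only_a]
    lines += [f"{sid}: only on DC2" for sid in only_b]
    return lines or ["idmap.ldb mappings are consistent"]


if __name__ == "__main__":
    for line in report(DC1_LDIF, DC2_LDIF):
        print(line)
```

Any SID listed as differing is one where the same BUILTIN group maps to different unix ids on the two DCs, which is exactly the condition that makes the on-disk Linux ACLs disagree. If the report is clean after copying idmap.ldb and running `net cache flush`, the DCs have been brought back in step; rerunning the comparison periodically is one way to notice when they drift again.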